{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23307", "assignerOrgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "state": "PUBLISHED", "assignerShortName": "Linux", "dateReserved": "2026-01-13T15:37:45.994Z", "datePublished": "2026-03-25T10:27:02.746Z", "dateUpdated": "2026-03-25T10:27:02.746Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "shortName": "Linux", "dateUpdated": "2026-03-25T10:27:02.746Z"}, "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message\n\nWhen looking at the data in a USB urb, the actual_length is the size of\nthe buffer passed to the driver, not the transfer_buffer_length which is\nset by the driver as the max size of the buffer.\n\nWhen parsing the messages in ems_usb_read_bulk_callback() properly check\nthe size both at the beginning of parsing the message to make sure it is\nbig enough for the expected structure, and at the end of the message to\nmake sure we don't overflow past the end of the buffer for the next\nmessage."}], "affected": [{"product": "Linux", "vendor": "Linux", "defaultStatus": "unaffected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ems_usb.c"], "versions": [{"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "c703bbf8e9b4947e111c88d2ed09236a6772a471", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "1818974e1b5ef200e27f144c8cb8a246420bb54d", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "18f75b9cbdc3703f15965425ab69dee509b07785", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "1cf469026d4a2308eaa91d04dca4a900d07a5c2e", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "2833e13e2b099546abf5d40a483b4eb04ddd1f7b", "status": "affected", "versionType": "git"}, {"version": "702171adeed3607ee9603ec30ce081411e36ae42", "lessThan": "38a01c9700b0dcafe97dfa9dc7531bf4a245deff", "status": "affected", "versionType": "git"}]}, {"product": "Linux", "vendor": "Linux", "defaultStatus": "affected", "repo": "https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git", "programFiles": ["drivers/net/can/usb/ems_usb.c"], "versions": [{"version": "2.6.32", "status": "affected"}, {"version": "0", "lessThan": "2.6.32", "status": "unaffected", "versionType": "semver"}, {"version": "6.1.167", "lessThanOrEqual": "6.1.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.6.130", "lessThanOrEqual": "6.6.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.12.77", "lessThanOrEqual": "6.12.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.18.17", "lessThanOrEqual": "6.18.*", "status": "unaffected", "versionType": "semver"}, {"version": "6.19.7", "lessThanOrEqual": "6.19.*", "status": "unaffected", "versionType": "semver"}, {"version": "7.0-rc3", "lessThanOrEqual": "*", "status": "unaffected", "versionType": "original_commit_for_fix"}]}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.1.167"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.6.130"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.12.77"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.18.17"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "6.19.7"}, {"vulnerable": true, "criteria": "cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*", "versionStartIncluding": "2.6.32", "versionEndExcluding": "7.0-rc3"}]}]}], "references": [{"url": "https://git.kernel.org/stable/c/c703bbf8e9b4947e111c88d2ed09236a6772a471"}, {"url": "https://git.kernel.org/stable/c/1818974e1b5ef200e27f144c8cb8a246420bb54d"}, {"url": "https://git.kernel.org/stable/c/18f75b9cbdc3703f15965425ab69dee509b07785"}, {"url": "https://git.kernel.org/stable/c/1cf469026d4a2308eaa91d04dca4a900d07a5c2e"}, {"url": "https://git.kernel.org/stable/c/2833e13e2b099546abf5d40a483b4eb04ddd1f7b"}, {"url": "https://git.kernel.org/stable/c/38a01c9700b0dcafe97dfa9dc7531bf4a245deff"}], "title": "can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message", "x_generator": {"engine": "bippy-1.2.0"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "In the Linux kernel, the following vulnerability has been resolved:\n\ncan: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message\n\nWhen looking at the data in a USB urb, the actual_length is the size of\nthe buffer passed to the driver, not the transfer_buffer_length which is\nset by the driver as the max size of the buffer.\n\nWhen parsing the messages in ems_usb_read_bulk_callback() properly check\nthe size both at the beginning of parsing the message to make sure it is\nbig enough for the expected structure, and at the end of the message to\nmake sure we don't overflow past the end of the buffer for the next\nmessage."}], "id": "CVE-2026-23307", "lastModified": "2026-03-25T15:41:33.977", "metrics": {}, "published": "2026-03-25T11:16:26.657", "references": [{"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1818974e1b5ef200e27f144c8cb8a246420bb54d"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/18f75b9cbdc3703f15965425ab69dee509b07785"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/1cf469026d4a2308eaa91d04dca4a900d07a5c2e"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/2833e13e2b099546abf5d40a483b4eb04ddd1f7b"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/38a01c9700b0dcafe97dfa9dc7531bf4a245deff"}, {"source": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "url": "https://git.kernel.org/stable/c/c703bbf8e9b4947e111c88d2ed09236a6772a471"}], "sourceIdentifier": "416baaa9-dc9f-4396-8d5f-8c081fb06d67", "vulnStatus": "Awaiting Analysis"}

{"bugzilla": {"description": "kernel: can: ems_usb: ems_usb_read_bulk_callback(): check the proper length of a message", "id": "2451195", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2451195"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.5", "cvss3_scoring_vector": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "status": "draft"}, "cwe": "CWE-805", "details": ["A flaw was found in the Linux kernel's ems_usb module. This vulnerability occurs because the system does not properly verify the length of messages it receives. An attacker could exploit this weakness by sending specially crafted messages, potentially causing the system to crash (Denial of Service) or, in some cases, execute unauthorized code."], "mitigation": {"lang": "en:us", "value": "To mitigate this issue, prevent the ems_usb module from being loaded. See https://access.redhat.com/solutions/41278 for instructions."}, "name": "CVE-2026-23307", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:10", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 10"}, {"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 8"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel", "product_name": "Red Hat Enterprise Linux 9"}, {"cpe": "cpe:/o:redhat:enterprise_linux:9", "fix_state": "Fix deferred", "package_name": "kernel-rt", "product_name": "Red Hat Enterprise Linux 9"}], "public_date": "2026-03-25T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-23307\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-23307\nhttps://lore.kernel.org/linux-cve-announce/2026032528-CVE-2026-23307-60f2@gregkh/T"], "statement": "This flaw affects systems with EMS CPC-USB CAN adapters. The driver fails to properly validate message lengths when parsing USB URB data, potentially allowing buffer overflows. A malicious USB device could send crafted messages to trigger out-of-bounds reads or writes. Physical access to connect the USB device is required.", "threat_severity": "Moderate"}

{"analysis": {"en": {"generated_at": "2026-03-25T12:02:22.670224+00:00", "value": {"mitigation_remediation": ["Apply the latest Linux kernel release that includes the ems_usb driver fix", "If the functionality is not required, unload or disable the ems_usb module", "Limit USB device connectivity to trusted devices using udev or similar rules", "Monitor system logs for signs of abnormal USB activity or crashes"], "summary": {"action": "Immediate Patch", "impact": "Kernel memory corruption leading to possible privilege escalation"}, "threat_synthesis": {"affected_systems": "The flaw exists in the Linux kernel\u2019s ems_usb component. Any installation that loads this driver is potentially vulnerable. No specific kernel release numbers are listed; therefore all kernels containing the ems_usb module until the patch is applied are at risk.", "description_and_impact": "The ems_usb driver in the Linux kernel incorrectly uses the actual_length field of a USB URB to determine message size, leading to insufficient boundary checks when parsing bulk data. This flaw allows an attacker supplying crafted USB traffic to overflow a kernel buffer, corrupt memory, crash the system, or potentially execute arbitrary code. The vulnerability is rooted in improper length validation and falls under buffer overflow weaknesses.", "risk_and_exploitability": "No CVSS or EPSS score is available, and the vulnerability is not in the CISA KEV catalog. Historically, kernel buffer overflows can enable privilege escalation. The likely attack requires an attacker to connect a malicious USB device to the vulnerable system, which may be physically or remotely possible if USB access is enabled. Successful exploitation would depend on the ability to inject crafted bulk packets that trigger the overflow."}}}}, "created": "2026-03-25T21:15:23.151660+00:00", "updated": "2026-03-25T21:15:23.151692+00:00", "vendors": [], "weaknesses": ["CWE-119"]}